<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Common Kerberos exceptions | ElasticSearch 7.7 Definitive Guide (Chinese edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <meta name="description" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'trb-security-kerberos.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-kerberos.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-kerberos.html</a>; the copyright of the original document belongs to www.elastic.co<br/>Local English version: <a href="../en/trb-security-kerberos.html" rel="nofollow" target="_blank">../en/trb-security-kerberos.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>Important</strong>: No further bug fixes or documentation updates will be released for this version. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">documentation for the current version</a>.
</div>
<div id="content">
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="trb-security-kerberos"></a>Common Kerberos exceptions
</h2>
</div></div></div>
<p><span class="strong strong"><strong>Symptoms:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
User authentication fails due to either a GSS negotiation failure
or a service login failure (either on the server or in the Elasticsearch HTTP client).
Some of the common exceptions are listed below with tips to help resolve
them.
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Resolution:</strong></span></p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">Failure unspecified at GSS-API level (Mechanism level: Checksum failed)</code>
</span>
</dt>
<dd>
<p>When you see this error message on the HTTP client side, it may be
related to an incorrect password.</p>
<p>When you see this error message in the Elasticsearch server logs, it may be
related to the Elasticsearch service keytab: the keytab file is present, but logging in
as the service user with it failed. Check the keytab expiry. Also check whether the
keytab contains up-to-date credentials; if not, replace them.</p>
<p>You can use tools like <code class="literal">klist</code> or <code class="literal">ktab</code> to list principals inside
the keytab and validate them. You can use <code class="literal">kinit</code> to see if you can acquire
initial tickets using the keytab. Please check the tools and their documentation
in your Kerberos environment.</p>
<p>Kerberos depends on proper hostname resolution, so please check your DNS infrastructure.
Incorrect DNS setup, DNS SRV records or configuration for KDC servers in <code class="literal">krb5.conf</code>
can cause problems with hostname resolution.</p>
</dd>
<dt>
<span class="term">
<code class="literal">Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))</code>
</span>
</dt>
<dt>
<span class="term">
<code class="literal">Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))</code>
</span>
</dt>
<dd>
<p>To prevent replay attacks, Kerberos V5 sets a maximum tolerance for clock
skew between computers, typically 5 minutes. Check whether
the time on the machines within the domain is in sync.</p>
</dd>
<dt>
<span class="term">
<code class="literal">gss_init_sec_context() failed: An unsupported mechanism was requested</code>
</span>
</dt>
<dt>
<span class="term">
<code class="literal">No credential found for: 1.2.840.113554.1.2.2 usage: Accept</code>
</span>
</dt>
<dd>
<p>You would usually see these error messages on the client side when using <code class="literal">curl</code> to
test the Elasticsearch Kerberos setup. For example, they occur when you are using
an old version of curl on the client and SPNEGO support is therefore missing.
The Kerberos realm in Elasticsearch only supports the SPNEGO mechanism (OID 1.3.6.1.5.5.2);
it does not yet support the plain Kerberos mechanism (OID 1.2.840.113554.1.2.2).</p>
<p>Make sure that:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
You have installed curl version 7.49 or above as older versions of curl have
known Kerberos bugs.
</li>
<li class="listitem">
The curl installed on your machine has the <code class="literal">GSS-API</code>, <code class="literal">Kerberos</code> and <code class="literal">SPNEGO</code>
features listed when you invoke the command <code class="literal">curl -V</code>. If not, you will need to
build a <code class="literal">curl</code> version with this support.
</li>
</ul>
</div>
<p>To download the latest curl version, visit <a href="https://curl.haxx.se/download.html" class="ulink" target="_top">https://curl.haxx.se/download.html</a>.</p>
</dd>
</dl>
</div>
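<p>Added example (not from the Elasticsearch documentation or the curl project): a POSIX shell function that applies the two curl checks above to a <code class="literal">curl -V</code> report, parsing the version (7.49 or later) and confirming that GSS-API, Kerberos and SPNEGO appear on the Features line. The two sample reports are constructed for illustration; the script also runs the check against the curl installed locally, if any.</p>

```shell
#!/bin/sh
# Added example (not from the Elasticsearch docs): check a `curl -V` report
# for what the Kerberos guidance requires: curl >= 7.49 plus the GSS-API,
# Kerberos and SPNEGO features. Returns 0 when every check passes.

check_curl_features() {
    report="$1"
    ok=0

    # First line: "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 ..."
    version=$(printf '%s\n' "$report" | awk 'NR == 1 { print $2 }')
    case "$version" in
        [0-9]*.[0-9]*) ;;
        *) echo "FAIL: could not parse a curl version from the report"; return 1 ;;
    esac
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    if [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 49 ]; }; then
        echo "FAIL: curl $version is older than 7.49 (known Kerberos bugs)"
        ok=1
    fi

    # The "Features:" line lists compile-time capabilities separated by spaces.
    features=$(printf '%s\n' "$report" | awk '/^Features:/ { sub(/^Features: */, ""); print }')
    for needed in GSS-API Kerberos SPNEGO; do
        case " $features " in
            *" $needed "*) ;;
            *) echo "FAIL: curl was built without $needed support"; ok=1 ;;
        esac
    done

    [ "$ok" -eq 0 ] && echo "OK: curl $version has GSS-API, Kerberos and SPNEGO"
    return "$ok"
}

# Constructed sample reports (not captured from a real system).
CURL_OK_REPORT='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11
Release-Date: 2020-01-08
Features: AsynchDNS GSS-API HTTPS-proxy IPv6 Kerberos Largefile NTLM SPNEGO SSL'
CURL_OLD_REPORT='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz'

check_curl_features "$CURL_OK_REPORT"           # passes
check_curl_features "$CURL_OLD_REPORT" || true  # fails: too old, SPNEGO missing
if command -v curl >/dev/null 2>&1; then
    check_curl_features "$(curl -V 2>/dev/null)" || true   # the curl on this host
fi
```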
<p>Kerberos logs are often cryptic, and many things can go wrong because
Kerberos depends on external services such as DNS and NTP. You might
have to enable additional debug logs to determine the root cause of the issue.</p>
<p>Elasticsearch uses a JAAS (Java Authentication and Authorization Service) Kerberos login
module to provide Kerberos support. To enable debug logs on Elasticsearch for the login
module, use the following Kerberos realm setting:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.authc.realms.kerberos.&lt;realm-name&gt;.krb.debug: true</pre>
</div>
<p>For detailed information, see <a href="security-settings.html#ref-kerberos-settings" class="ulink" target="_top">Kerberos realm settings</a>.</p>
<p>Sometimes you may need to go deeper to understand the problem during SPNEGO
GSS context negotiation, or to look at the Kerberos message exchange. To enable
Kerberos/SPNEGO debug logging in the JVM, add the following JVM system properties:</p>
<p><code class="literal">-Dsun.security.krb5.debug=true</code></p>
<p><code class="literal">-Dsun.security.spnego.debug=true</code></p>
<p>For more information about JVM system properties, see <a href="jvm-options.html" class="ulink" target="_top">configuring JVM options</a>.</p>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>